What Schools Should Know About GDPR, PDPA, and Cross-Border Data Compliance

A plain-language overview of the data privacy regulations most relevant to international schools, and what they mean in practice for admins and IT managers.

International schools occupy a complex position in the world of data privacy. They collect and process sensitive personal data about students, families, and staff - and they frequently do so across multiple jurisdictions. A school based in Bangkok may enrol students from 40 countries, use a cloud platform hosted in Ireland, and employ staff who are citizens of a dozen different nations. Each of these dimensions can carry regulatory implications.

This article does not constitute legal advice, and schools should always seek qualified legal guidance for their specific situation. What it does provide is a practical overview of the most relevant regulations and the questions every school admin and IT manager should be asking.

Data privacy compliance is not a one-time project. It is an ongoing operational responsibility that touches system configuration, staff training, vendor management, and school policy. The starting point is understanding which regulations apply to your school - not assuming one framework covers everything.

The Key Regulations and Who They Apply To

GDPR - General Data Protection Regulation (European Union)

GDPR is the most widely referenced data protection regulation globally. It applies to any organisation that processes the personal data of individuals in the EU or UK, regardless of where the organisation itself is based. For international schools, this means that if you have students or families who are EU or UK residents, GDPR is likely relevant - even if your school is located in Asia or the Middle East.

Key principles for schools under GDPR include: collecting only the data you need (data minimisation), keeping it only as long as necessary (storage limitation), securing it appropriately, and being transparent with families about how it is used. Parents and students above a certain age also have the right to access, correct, and in some cases delete their data.

PDPA - Personal Data Protection Act (Thailand, and variations in other countries)

Thailand's PDPA, which came into full effect in 2022, applies to any organisation processing the personal data of individuals in Thailand. Schools operating in Thailand must comply regardless of whether their systems are hosted locally or internationally. Similar legislation exists in many other countries across Asia and the Middle East under different names - including Singapore's PDPA, Malaysia's PDPA, and others. Schools should identify which national legislation applies to their operating jurisdiction.

FERPA (United States)

FERPA applies to educational institutions that receive US federal funding. For most international schools, FERPA will not apply directly - but schools following an American curriculum or serving a significant US population may face families who expect FERPA-style protections and raise them in discussions about data access rights.

Other Frameworks to Be Aware Of

Schools accredited by bodies such as CIS or WASC may also encounter data governance expectations as part of accreditation standards. These are not legal regulations but can carry significant operational weight. Schools in the Middle East may be subject to national data localisation requirements that affect where data can be stored and processed.

Practical Compliance Questions Every School Should Answer

Each question below is paired with why it matters:

  • Which data protection regulations apply to our school? - You cannot comply with regulations you have not identified; start here.
  • Where is our student data stored and processed? - Data localisation requirements in some countries restrict cross-border data transfers.
  • Do we have a lawful basis for collecting each type of data we hold? - Most frameworks require a defined legal basis (consent, contract, legitimate interest) for processing personal data.
  • Are our third-party vendors - including Faria - processing data under appropriate agreements? - Schools remain responsible for data processed on their behalf by vendors; data processing agreements (DPAs) are required under most frameworks.
  • Can we respond to a parent or student data access request within the required timeframe? - GDPR requires responses within 30 days; many other frameworks have similar requirements.
  • Do we have a documented data breach response procedure? - Most regulations require notification of breaches to authorities and affected individuals within a defined window.

What This Means for Your Faria Platform Configuration

Using cloud-based platforms like ManageBac+, OpenApply, Atlas, and SchoolsBuddy means that student and staff personal data is processed by a third-party vendor. Under most data protection frameworks, the school remains the data controller - meaning you retain responsibility for how that data is used, even when it is processed by Faria's systems.

Practical steps to take in relation to your Faria platforms:

  • Confirm that a Data Processing Agreement (DPA) is in place with Faria - this is a standard requirement under GDPR and many other frameworks
  • Review where data is hosted - Faria can confirm the location of data processing and storage for your region; this matters for schools in countries with data localisation requirements
  • Limit data collection to what is necessary - review the fields you are collecting in OpenApply and ManageBac+ and consider whether all of them are required for your operational purposes
  • Ensure your privacy notice to families covers Faria's data processing - families should be informed that their data is processed by third-party platforms as part of the school's operations

Faria's security and data protection information is available at faria.org/secure.

Tips and Considerations

  • Appoint a designated privacy lead - some frameworks require a formal Data Protection Officer (DPO); even where this is not legally required, having a named internal lead improves accountability and response times
  • Keep a record of processing activities - a simple register of what data you collect, why, where it is stored, and how long you keep it is a fundamental compliance tool and is required under GDPR for most organisations
  • Train staff on their data handling obligations - compliance failures often result from well-meaning staff sharing or accessing data without understanding the rules; annual awareness training is a minimum
  • Review your privacy notices annually - as your systems and data practices evolve, your privacy documentation should too

In Summary

  • International schools typically operate under multiple data protection frameworks simultaneously - identify which ones apply to your school before designing your compliance approach.
  • The school remains the data controller even when using third-party platforms like ManageBac+ or OpenApply; ensure appropriate agreements are in place with all vendors.
  • Practical compliance starts with knowing what data you hold, why you hold it, where it is stored, and who can access it.
  • Annual staff training and up-to-date privacy notices are the baseline for operational compliance.

This article provides general guidance only and does not constitute legal advice. Schools should seek qualified legal counsel for advice specific to their jurisdiction and circumstances. For information on how Faria handles data security and privacy, visit faria.org/secure.